Hello everybody,

I have been looking for a solution for about 2 weeks now with no luck, so I decided to write on this forum.

When I use NTLM authentication, my proxy makes a "TCP_DENIED/407" for just about every object on the web page I'm browsing (CSS, JS, images, ...) and it makes browsing very slow. It can take me over a minute to render a simple page. I have read that it's the way NTLM works to authenticate users. However, I would have expected it to do it once per page at most.

When I turn it off and use basic authentication, pages load very fast. That's how I came to suspect NTLM was the problem.

My aim is to authenticate users once by NTLM (unfortunately, I cannot fall back on basic because I've been asked to make it as transparent as possible) and then not authenticate them again until the browser is closed. Is there a way I can accomplish that?

You can find part of my configuration at the end.

Thanks a lot for your time.


/*Begin Configuration*/
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 150
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

authenticate_cache_garbage_interval 2 hour

authenticate_ttl 30 minutes

authenticate_ip_ttl 1 hour

acl ad_auth proxy_auth REQUIRED

http_access allow ad_auth
http_access deny all

workgroup = *****
realm = *****.BE
security = domain
encrypt passwords = true

password server = srv-******.*****.be
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
/*End Configuration*/

/*Begin Programs' versions*/
Debian Squeeze (5.0.3)
squid3 - 3.1.3-2
samba - 2:3.4.8~dfsg-1
winbind - 2:3.4.8~dfsg-1
/*End Programs' versions*/
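
A way to measure the symptom described in the post, added here as an example and not part of the original post: the script counts TCP_DENIED/407 lines against authenticated requests per client in Squid's native access.log format. It assumes the usual NTLM pattern of two 407 responses per newly authenticated connection, so a ratio near 2 suggests nearly every object is fetched over a fresh connection, while a much lower ratio suggests connections are being reused; the log lines, addresses and user names are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1280000000.101      1 192.0.2.10 TCP_DENIED/407 4120 GET http://example.test/ - NONE/- text/html
1280000000.140      2 192.0.2.10 TCP_DENIED/407 4480 GET http://example.test/ - NONE/- text/html
1280000000.390    240 192.0.2.10 TCP_MISS/200 9120 GET http://example.test/ jdoe DIRECT/198.51.100.5 text/html
1280000000.401      1 192.0.2.10 TCP_DENIED/407 4125 GET http://example.test/a.css - NONE/- text/html
1280000000.442      2 192.0.2.10 TCP_DENIED/407 4485 GET http://example.test/a.css - NONE/- text/html
1280000000.610    160 192.0.2.10 TCP_MISS/200 2210 GET http://example.test/a.css jdoe DIRECT/198.51.100.5 text/css
1280000001.101      1 192.0.2.20 TCP_DENIED/407 4120 GET http://example.test/ - NONE/- text/html
1280000001.140      2 192.0.2.20 TCP_DENIED/407 4480 GET http://example.test/ - NONE/- text/html
1280000001.390    240 192.0.2.20 TCP_MISS/200 9120 GET http://example.test/ asmith DIRECT/198.51.100.5 text/html
1280000001.520    120 192.0.2.20 TCP_MISS/200 2210 GET http://example.test/a.css asmith DIRECT/198.51.100.5 text/css
1280000001.650    110 192.0.2.20 TCP_MISS/200 5310 GET http://example.test/b.js asmith DIRECT/198.51.100.5 text/javascript
1280000001.700     40 192.0.2.20 TCP_MISS/304 310 GET http://example.test/c.png asmith DIRECT/198.51.100.5 -
truncated line that should be skipped
"""

def summarize(lines):
    """Return {client_ip: {"denied_407": n, "authenticated": m}} for parsable lines."""
    stats = defaultdict(lambda: {"denied_407": 0, "authenticated": 0})
    for line in lines:
        fields = line.split()
        if len(fields) < 8 or "/" not in fields[3]:
            continue  # not a native-format entry
        client, result, user = fields[2], fields[3], fields[7]
        status = result.rsplit("/", 1)[1]
        if result.startswith("TCP_DENIED") and status == "407":
            stats[client]["denied_407"] += 1
        elif user != "-":
            stats[client]["authenticated"] += 1  # request logged with a user name
    return dict(stats)

def challenge_ratio(entry):
    """407 responses per authenticated request; None if nothing was authenticated."""
    if entry["authenticated"] == 0:
        return None
    return entry["denied_407"] / entry["authenticated"]

if __name__ == "__main__":
    for client, entry in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(client, entry, "407s per authenticated request:", challenge_ratio(entry))
```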